Puppet example: automating an LNMT (session server) deployment
Lab environment and preparation
This lab uses four hosts, all running CentOS 7. puppet and puppet-server are version 3.8.7-1.el7.noarch, and facter is version 2.4.6-1.el7.x86_64.
Because the cluster in this lab has only a few hosts, the hosts identify each other's roles through entries in /etc/hosts. In a production cluster with many hosts an internal DNS server should be used instead.
- Host IP addresses and roles in this lab
Hostname (short)   Hostname (FQDN)      IP address     Role
node1              node1.achudk.com     172.16.50.1    Master
node7              node7.achudk.com     172.16.50.7    Agent
node11             node11.achudk.com    172.16.50.11   Agent
node12             node12.achudk.com    172.16.50.12   Agent
Lab walkthrough
First synchronise the clocks on all hosts: the certificate exchange between Master and Agents fails when their clocks drift apart.
- Make sure the hosts can identify each other's roles: edit /etc/hosts and distribute it to the other hosts
# Edit the hosts file
vim /etc/hosts
# Make it read as follows
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.50.1 node1.achudk.com node1
172.16.50.7 node7.achudk.com node7
172.16.50.11 node11.achudk.com node11
172.16.50.12 node12.achudk.com node12
# Distribute the hosts file and confirm it arrived
scp /etc/hosts root@172.16.50.7:/etc/
scp /etc/hosts root@172.16.50.11:/etc/
scp /etc/hosts root@172.16.50.12:/etc/
Install the packages
- Master node
# the three .rpm files were downloaded to the current directory beforehand; yum resolves their dependencies from the configured repositories
yum install -y puppet-3.8.7-1.el7.noarch.rpm facter-2.4.6-1.el7.x86_64.rpm puppet-server-3.8.7-1.el7.noarch.rpm
- Agent nodes
yum install -y puppet-3.8.7-1.el7.noarch.rpm facter-2.4.6-1.el7.x86_64.rpm
Edit the configuration files
- Master node
vim /etc/puppet/puppet.conf
# Add the following entry to the [main] section; it defines where the deployment environments live
environmentpath = $confdir/environments
# Create the environment directories
mkdir -pv /etc/puppet/environments/{development,production,testing}/{manifests,modules}
- Every Agent node
vim /etc/puppet/puppet.conf
# Add the following to the [main] section
# listen on port 8139 so the agent is notified promptly of configuration changes on the Master (puppet kick)
listen = true
# hostname of the Master
server = node1.achudk.com
# deployment environment this agent uses
environment = production
vim /etc/puppet/
# Insert the following before the last two lines
path /run
method save
auth any
# the Master is the host that connects to the agent's port 8139 when it kicks, so the Master's certname is the one to allow
allow node1.achudk.com
# The last two lines, already present in the file, are:
path /
auth any
Puppet secures its communication with HTTPS and uses mutual certificate authentication between Master and Agent; set it up as follows.
- Initialise the Master node: on first start the program generates its private key and a self-signed CA
# Start the puppetmaster service and confirm that port 8140 is listening
systemctl start puppetmaster
ss -tnl
- Every Agent node
To watch the run in the foreground, run the puppet agent as a non-daemon process:
puppet agent --server node1.achudk.com -d -v --no-daemonize
- On the Master node, view the certificate requests sent by the Agent nodes and sign them
Usage of the puppet cert command:
puppet cert <action> [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose] [--digest <digest>] [<host>]
- View and sign the requests
# list all signed and unsigned requests; a single host name can be given instead of --all
puppet cert list --all
# this cluster sits on a private network isolated from the Internet, so the risk is considered low; otherwise do not use --all and sign each host individually
puppet cert sign --all
- After signing, list all certificates again to confirm that the requests from every host in this lab have been signed
A signed host is prefixed with a "+" sign
puppet cert list --all
# Output:
+ "node11.achudk.com" (SHA256) 7F:E0:E7:2A:E3:2B:CA:8B:C0:F5:BA:D7:18:B9:8C:3A:F2:EB:AE:AB:E7:D6:9D:4B:D8:01:B0:B7:74:99:14:1C
+ "node12.achudk.com" (SHA256) 31:DB:00:DC:BC:4C:D7:16:0C:38:6F:D2:AA:9C:D7:9E:9D:59:6B:2C:36:6D:35:86:90:F0:C2:B8:12:CC:50:F9
+ "node7.achudk.com" (SHA256) 11:DB:AA:5A:CD:E4:A3:A2:F3:47:3D:78:61:2A:B8:FB:E5:6C:17:5F:D6:78:2D:FB:0C:99:13:09:F0:38:15:EC
+ "node1.achudk.com" (SHA256) C8:4D:B4:91:08:C0:F3:A5:EF:03:CC:0A:C5:7C:53:E7:CC:21:C3:72:2B:66:0F:E5:13:06:A5:85:25:E4:0B:C0 (alt names: "DNS:node7.achudk.com", "DNS:puppet", "DNS:puppet.achudk.com")
Stop the foreground puppet agent process on each Agent node
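Signing every pending request with --all, as done above, trusts whichever host presented a request. The following script is an added example and is not part of the original post: it parses the `puppet cert list --all` output format shown above and signs only requests whose SHA256 fingerprint matches a value recorded out of band (for instance read from `puppet agent --fingerprint` on the node's own console before it joins the cluster). The function names, the allowlist format and the sample listing are assumptions of this example; the node7 and node1 fingerprints in the sample reuse the values printed above, the others are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: sign only verified requests.
# Function names, allowlist format and sample data are assumptions.

# Constructed `puppet cert list --all` sample: node7 pending with the expected
# fingerprint, node11 pending with a wrong one, rogue pending and unknown,
# node1 already signed ("+" prefix).
write_samples() {
    dir=$1
    cat > "$dir/cert-list.txt" <<'EOF'
  "node7.achudk.com" (SHA256) 11:DB:AA:5A:CD:E4:A3:A2:F3:47:3D:78:61:2A:B8:FB:E5:6C:17:5F:D6:78:2D:FB:0C:99:13:09:F0:38:15:EC
  "node11.achudk.com" (SHA256) 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
  "rogue.achudk.com" (SHA256) AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
+ "node1.achudk.com" (SHA256) C8:4D:B4:91:08:C0:F3:A5:EF:03:CC:0A:C5:7C:53:E7:CC:21:C3:72:2B:66:0F:E5:13:06:A5:85:25:E4:0B:C0
EOF
    # Allowlist recorded out of band: "<certname> <expected SHA256 fingerprint>"
    cat > "$dir/allowlist.txt" <<'EOF'
node7.achudk.com 11:DB:AA:5A:CD:E4:A3:A2:F3:47:3D:78:61:2A:B8:FB:E5:6C:17:5F:D6:78:2D:FB:0C:99:13:09:F0:38:15:EC
node11.achudk.com 7F:E0:E7:2A:E3:2B:CA:8B:C0:F5:BA:D7:18:B9:8C:3A:F2:EB:AE:AB:E7:D6:9D:4B:D8:01:B0:B7:74:99:14:1C
EOF
}

# Print "<certname> <fingerprint>" for every request that is still unsigned.
# Signed certificates carry a "+" prefix and revoked ones a "-"; pending
# requests have no prefix, so the quoted certname is the first field.
pending_requests() {
    awk '$1 != "+" && $1 != "-" { gsub(/"/, "", $1); print $1, $3 }' "$1"
}

# Compare pending requests with the allowlist. Listed certnames whose
# fingerprint matches go to stdout; everything else is reported on stderr.
# Exit status is 1 when at least one request was rejected.
verified_requests() {
    pending_requests "$1" | awk -v allow="$2" '
        BEGIN {
            while ((getline line < allow) > 0) {
                split(line, f, " "); want[f[1]] = f[2]
            }
        }
        !($1 in want)  { print "REJECT " $1 ": not in allowlist" | "cat 1>&2"; bad = 1; next }
        want[$1] != $2 { print "REJECT " $1 ": fingerprint mismatch" | "cat 1>&2"; bad = 1; next }
        { print $1 }
        END { exit bad }'
}

# Sign only the verified requests (run on the Master; needs the puppet CLI).
sign_verified() {
    verified_requests "$1" "$2" | while read -r name; do
        puppet cert sign "$name"
    done
}

# Stand-alone demonstration on the constructed sample data
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "safe to sign:"
verified_requests "$demo_dir/cert-list.txt" "$demo_dir/allowlist.txt" \
    || echo "some requests were rejected (see stderr)"
rm -rf "$demo_dir"
```

On the Master, `sign_verified /path/to/cert-list.txt /path/to/allowlist.txt` replaces `puppet cert sign --all`; the listing file is produced with `puppet cert list --all > cert-list.txt`.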
- Develop the modules needed for this lab
The modules for this lab are developed under /root/modules
- chrony time-synchronisation module
mkdir -pv /root/modules/chrony/{manifests,files,templates,spec,lib,tests}
vim /root/modules/chrony/manifests/init.pp
class chrony {
  package{'chrony':
    ensure => latest,
  } ->
  file{'chrony.conf':
    path   => '/etc/chrony.conf',
    source => 'puppet:///modules/chrony/chrony.conf',
  } ~>
  service{'chronyd':
    ensure => running,
    enable => true,
  }
}
vim /root/modules/chrony/files/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 172.16.0.1 iburst
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
# Ignore stratum in source selection.
stratumweight 0
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
# Enable kernel RTC synchronization.
rtcsync
# In first three updates step the system clock instead of slew
# if the adjustment is larger than 10 seconds.
makestep 10 3
# Allow NTP client access from local network.
#allow 192.168/16
# Listen for commands only on localhost.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
# Serve time even if not synchronized to any NTP server.
#local stratum 10
keyfile /etc/chrony.keys
# Specify the key used as password for chronyc.
commandkey 1
# Generate command key if missing.
generatecommandkey
# Disable logging of client accesses.
noclientlog
# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
logchange 0.5
logdir /var/log/chrony
#log measurements statistics tracking
- nginx module example
mkdir -pv /root/modules/nginx/{manifests,files,templates,spec,lib,tests}
vim /root/modules/nginx/manifests/init.pp
class nginx {
  package{'nginx':
    ensure => latest,
  } ->
  service{'nginx':
    ensure => running,
    enable => true,
  }
}
vim /root/modules/nginx/manifests/ngx_proxy.pp
class nginx::ngx_proxy inherits nginx {
  file{'nginx.conf':
    path   => '/etc/nginx/conf.d/ngx_proxy.conf',
    source => 'puppet:///modules/nginx/ngx_proxy.conf',
    owner  => 'nginx',
    group  => 'nginx',
    mode   => '0644',
  }
  # the proxy configuration is installed after the package and nginx is restarted when it changes
  Package['nginx'] -> File['nginx.conf'] ~> Service['nginx']
}
vim /root/modules/nginx/files/ngx_proxy.conf
upstream tomcatsrvs {
    server node11.achudk.com:8080;
    server node12.achudk.com:8080;
}
server {
    listen 80;
    server_name node1.achudk.com;
    location / {
        proxy_pass http://tomcatsrvs;
    }
}
- jdk8 module example
mkdir -pv /root/modules/jdk8/{manifests,files,templates,spec,lib,tests}
vim /root/modules/jdk8/manifests/init.pp
class jdk8 {
  package{'jdk8':
    name   => 'java-1.8.0-openjdk-devel',
    ensure => installed,
  } ->
  file{'java.sh':
    path   => '/etc/profile.d/java.sh',
    source => 'puppet:///modules/jdk8/java.sh',
    ensure => file,
  }
}
vim /root/modules/jdk8/files/java.sh
export JAVA_HOME=/usr
- tomcat module example
mkdir -pv /root/modules/tomcat/{manifests,files,templates,spec,lib,tests}
vim /root/modules/tomcat/manifests/init.pp
class tomcat {
  package{['tomcat','tomcat-webapps','tomcat-admin-webapps','tomcat-docs-webapp']:
    ensure => installed,
  }
  file{'server.xml':
    path    => '/etc/tomcat/server.xml',
    content => template('tomcat/server.xml.erb'),
    require => Package['tomcat','tomcat-webapps','tomcat-admin-webapps','tomcat-docs-webapp'],
  }
  file{'tomcat-users.xml':
    source  => 'puppet:///modules/tomcat/tomcat-users.xml',
    path    => '/etc/tomcat/tomcat-users.xml',
    require => File['server.xml'],
  }
  exec{'createtest':
    command  => 'mkdir -pv /usr/share/tomcat/webapps/test/{WEB-INF,META-INF,lib,classes}',
    path     => '/bin:/sbin:/usr/bin:/usr/sbin',
    # brace expansion needs a shell, so run the command through /bin/sh
    provider => shell,
    # keeps the exec idempotent: it only runs while this directory is absent
    creates  => '/usr/share/tomcat/webapps/test/WEB-INF',
    require  => File['tomcat-users.xml'],
  }
  service{'tomcat':
    ensure    => running,
    enable    => true,
    restart   => 'systemctl stop tomcat && echo "Please wait seconds" && sleep 2 && systemctl start tomcat',
    subscribe => Exec['createtest'],
  }
}
vim /root/modules/tomcat/manifests/aindex.pp
class tomcat::aindex inherits tomcat {
  file{'aindex.jsp':
    source => 'puppet:///modules/tomcat/aindex.jsp',
    path   => '/usr/share/tomcat/webapps/test/index.jsp',
    owner  => 'tomcat',
    group  => 'tomcat',
    mode   => '0644',
  }
  Exec['createtest'] -> File['aindex.jsp']
}
vim /root/modules/tomcat/manifests/bindex.pp
class tomcat::bindex inherits tomcat {
  file{'bindex.jsp':
    source => 'puppet:///modules/tomcat/bindex.jsp',
    path   => '/usr/share/tomcat/webapps/test/index.jsp',
    owner  => 'tomcat',
    group  => 'tomcat',
    mode   => '0644',
  }
  Exec['createtest'] -> File['bindex.jsp']
}
vim /root/modules/tomcat/templates/server.xml.erb
# Add the following entry inside the <Host> section
<Context path="/test" docBase="test" reloadable="true"/>
vim /root/modules/tomcat/files/tomcat-users.xml
# Add the following entries (the file name must match the source given in init.pp)
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
vim /root/modules/tomcat/files/aindex.jsp
<html>
<head><title>Tomcat_A</title></head>
<body>
<h1><font color="red">TomcatA.achudk.com</font></h1>
<table align="center" border="1">
<tr>
<td>Session ID</td>
<% session.setAttribute("achudk.com","achudk.com"); %>
<td><%= session.getId() %></td>
</tr>
<tr>
<td>Created on</td>
<td><%= session.getCreationTime() %></td>
</tr>
</table>
</body>
</html>
vim /root/modules/tomcat/files/bindex.jsp
<html>
<head><title>Tomcat_B</title></head>
<body>
<h1><font color="green">TomcatB.achudk.com</font></h1>
<table align="center" border="1">
<tr>
<td>Session ID</td>
<% session.setAttribute("achudk.com","achudk.com"); %>
<td><%= session.getId() %></td>
</tr>
<tr>
<td>Created on</td>
<td><%= session.getCreationTime() %></td>
</tr>
</table>
</body>
</html>
- memcached module example
mkdir -pv /root/modules/memcached/{manifests,files,templates,spec,lib,tests}
vim /root/modules/memcached/manifests/init.pp
class memcached {
  package{'memcached':
    ensure => installed,
  }
  file{'javolution-5.4.3.1.jar':
    path    => '/usr/share/java/tomcat/javolution-5.4.3.1.jar',
    source  => 'puppet:///modules/memcached/javolution-5.4.3.1.jar',
    require => Package['memcached'],
  }
  file{'memcached-session-manager-1.8.3.jar':
    path    => '/usr/share/java/tomcat/memcached-session-manager-1.8.3.jar',
    source  => 'puppet:///modules/memcached/memcached-session-manager-1.8.3.jar',
    require => File['javolution-5.4.3.1.jar'],
  }
  file{'memcached-session-manager-tc7-1.8.3.jar':
    path    => '/usr/share/java/tomcat/memcached-session-manager-tc7-1.8.3.jar',
    source  => 'puppet:///modules/memcached/memcached-session-manager-tc7-1.8.3.jar',
    require => File['memcached-session-manager-1.8.3.jar'],
  }
  file{'msm-javolution-serializer-1.8.3.jar':
    path    => '/usr/share/java/tomcat/msm-javolution-serializer-1.8.3.jar',
    source  => 'puppet:///modules/memcached/msm-javolution-serializer-1.8.3.jar',
    require => File['memcached-session-manager-tc7-1.8.3.jar'],
  }
  file{'spymemcached-2.11.1.jar':
    path    => '/usr/share/java/tomcat/spymemcached-2.11.1.jar',
    source  => 'puppet:///modules/memcached/spymemcached-2.11.1.jar',
    require => File['msm-javolution-serializer-1.8.3.jar'],
  }
  exec{'service':
    command     => 'systemctl start memcached && systemctl enable memcached && systemctl restart tomcat',
    path        => '/bin:/sbin:/usr/bin:/usr/sbin',
    # the && chain needs a shell
    provider    => shell,
    # run only when the jar changes; without this the exec would restart tomcat on every agent run
    refreshonly => true,
    subscribe   => File['spymemcached-2.11.1.jar'],
  }
}
vim /root/modules/memcached/templates/server.xml.erb
# Add the following inside the <Host> section. The tomcat class renders /etc/tomcat/server.xml from template('tomcat/server.xml.erb'), so on the Tomcat nodes this content must end up in that template.
<Context path="/test" docBase="test" reloadable="true"/>
<Manager className="de.javakaffee.web.msm.MemcachedBackupSessionManager"
  memcachedNodes="n1:<%= 'node11.achudk.com' %>:11211,n2:<%= 'node12.achudk.com' %>:11211"
  failoverNodes="n1"
  requestUriIgnorePattern=".*\.(ico|png|gif|jpg|css|js)$"
  transcoderFactoryClass="de.javakaffee.web.msm.serializer.javolution.JavolutionTranscoderFactory"
/>
# Place the following .jar files into the module's files directory
mv /root/{javolution-5.4.3.1.jar,memcached-session-manager-1.8.3.jar,memcached-session-manager-tc7-1.8.3.jar,msm-javolution-serializer-1.8.3.jar,spymemcached-2.11.1.jar} /root/modules/memcached/files/
- Define the node manifest (site.pp)
vim /root/manifests/site.pp
# 'base' holds what every host gets; the real nodes inherit from it (node inheritance still works in Puppet 3.8, although it is deprecated)
node 'base' {
  include chrony
}
node 'node7.achudk.com' inherits 'base' {
  include nginx::ngx_proxy
}
node 'node11.achudk.com' inherits 'base' {
  include jdk8
  include tomcat::aindex
  include memcached
}
node 'node12.achudk.com' inherits 'base' {
  include jdk8
  include tomcat::bindex
  include memcached
}
- Move all modules and the manifest (site.pp) into the corresponding production environment
# the target directory already exists, so move the module directories themselves rather than /root/modules as a whole
mv /root/modules/* /etc/puppet/environments/production/modules/
mv /root/manifests/site.pp /etc/puppet/environments/production/manifests/
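A mismatch between a source URL and the file actually present under files/ (or a class named in site.pp that has no manifest) is only discovered when an agent run fails. The script below is an added example, not part of the original post: run against the /root/modules tree and site.pp before the `mv`, it checks that every puppet:///modules/<mod>/<file> source, every template('<mod>/<file>') and every "include" class resolves to a file in the tree. The function names and the constructed sample tree (with one misspelled file name and one missing class manifest) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: pre-deployment reference check
# for a Puppet module tree. Function names and sample tree are assumptions.

# Report unresolved file/template references as "<manifest>: <kind> <ref>".
# Returns 1 if anything is missing.
check_module_refs() {
    modules=$1; missing=0
    for pp in $(find "$modules" -name '*.pp'); do
        # puppet:///modules/<mod>/<rest> must exist as <modules>/<mod>/files/<rest>
        for ref in $(grep -o "puppet:///modules/[^'\"]*" "$pp"); do
            rel=${ref#puppet:///modules/}
            mod=${rel%%/*}; rest=${rel#*/}
            [ -e "$modules/$mod/files/$rest" ] || { echo "$pp: file $ref"; missing=1; }
        done
        # template('<mod>/<rest>') must exist as <modules>/<mod>/templates/<rest>
        for ref in $(grep -o "template('[^']*')" "$pp" | sed "s/template('\(.*\)')/\1/"); do
            mod=${ref%%/*}; rest=${ref#*/}
            [ -e "$modules/$mod/templates/$rest" ] || { echo "$pp: template $ref"; missing=1; }
        done
    done
    return $missing
}

# Report "include" classes in a site manifest that have no manifest file:
# "a" -> <modules>/a/manifests/init.pp, "a::b::c" -> <modules>/a/manifests/b/c.pp
check_includes() {
    modules=$1; site=$2; missing=0
    for cls in $(awk '$1 == "include" { print $2 }' "$site"); do
        mod=${cls%%::*}
        if [ "$mod" = "$cls" ]; then
            f="$modules/$mod/manifests/init.pp"
        else
            f="$modules/$mod/manifests/$(printf '%s' "${cls#*::}" | sed 's#::#/#g').pp"
        fi
        [ -e "$f" ] || { echo "$site: class $cls expects $f"; missing=1; }
    done
    return $missing
}

# Constructed sample tree: the manifest references tomcat-users.xml but the
# file was saved as tomcat-user.xml, and site.pp includes tomcat::aindex
# although no aindex.pp exists.
build_sample_tree() {
    root=$1
    mkdir -p "$root/modules/tomcat/manifests" "$root/modules/tomcat/files" \
             "$root/modules/tomcat/templates" "$root/modules/jdk8/manifests" "$root/manifests"
    cat > "$root/modules/tomcat/manifests/init.pp" <<'EOF'
class tomcat {
  file{'server.xml':
    path    => '/etc/tomcat/server.xml',
    content => template('tomcat/server.xml.erb'),
  }
  file{'tomcat-users.xml':
    path   => '/etc/tomcat/tomcat-users.xml',
    source => 'puppet:///modules/tomcat/tomcat-users.xml',
  }
}
EOF
    : > "$root/modules/tomcat/templates/server.xml.erb"
    : > "$root/modules/tomcat/files/tomcat-user.xml"
    : > "$root/modules/jdk8/manifests/init.pp"
    cat > "$root/manifests/site.pp" <<'EOF'
node 'node11.achudk.com' {
  include jdk8
  include tomcat::aindex
}
EOF
}

# Stand-alone demonstration on the constructed tree
demo=$(mktemp -d)
build_sample_tree "$demo"
check_module_refs "$demo/modules" || echo "-> fix the references above before moving the modules"
check_includes "$demo/modules" "$demo/manifests/site.pp" || echo "-> missing class manifests"
rm -rf "$demo"
```

For the real tree the calls are `check_module_refs /root/modules` and `check_includes /root/modules /root/manifests/site.pp`; both return non-zero when something is unresolved, so they can gate the `mv` in a deployment script.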
- Start the puppet agent service on the Agents
# the agent unit installed by the puppet 3.8 RPM is named puppet.service (the master's is puppetmaster.service)
systemctl start puppet
The Agent nodes then automatically pull and apply everything the Master defines for them
- If an Agent has not applied the new deployment yet, use the kick command to tell all Agents to synchronise the updated configuration
# Run on the Master node
puppet kick -a
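Once the agents have applied their catalogs, the point of the setup (a session created on one Tomcat being visible on the other through memcached-session-manager) can be verified from the outside. The script below is an added example, not part of the original post: it fetches the test page through the nginx proxy several times with one cookie jar, reduces each response to the Tomcat title and the Session ID cell of the page defined above, and reports whether both Tomcats answered with the same session ID. PROXY_URL (pointing at node7, the host that site.pp gives the nginx::ngx_proxy class), the function names and the constructed sample pages are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: session-sharing check through
# the proxy. PROXY_URL, function names and sample pages are assumptions.

PROXY_URL=${PROXY_URL:-http://node7.achudk.com/test/index.jsp}

# Constructed sample responses, as TomcatA and TomcatB would render the test
# page for one shared session (msm appends the memcached node id to the ID).
SAMPLE_A='<html>
<head><title>Tomcat_A</title></head>
<body>
<h1><font color="red">TomcatA.achudk.com</font></h1>
<table align="center" border="1">
<tr>
<td>Session ID</td>

<td>9F3A1C7E2B4D6A08-n2</td>
</tr>
<tr>
<td>Created on</td>
<td>1490000000000</td>
</tr>
</table>
</body>
</html>'
SAMPLE_B=$(printf '%s\n' "$SAMPLE_A" | sed -e 's/Tomcat_A/Tomcat_B/' -e 's/TomcatA/TomcatB/' -e 's/red/green/')

# Reduce one fetched page (HTML on stdin) to "<title> <session id>".
page_identity() {
    tr -d '\r' | awk '
        /<title>/ { sub(/.*<title>/, ""); sub(/<\/title>.*/, ""); title = $0 }
        /<td>Session ID<\/td>/ { want = 1; next }
        want && /<td>/ { sub(/.*<td>/, ""); sub(/<\/td>.*/, ""); sid = $0; want = 0 }
        END { print title, sid }'
}

# Classify a set of "<title> <session id>" lines:
#   shared - more than one Tomcat answered, all with the same session ID
#   single - only one Tomcat answered (proxy not balancing, or sticky)
#   split  - different session IDs, i.e. the session is not being shared
#   none   - no session ID was found at all
verdict() {
    awk '{ servers[$1] = 1; ids[$2] = 1 }
         END {
             ns = 0; for (s in servers) ns++
             ni = 0; for (i in ids) ni++
             if (ni == 0) print "none"
             else if (ni == 1 && ns > 1) print "shared"
             else if (ni == 1) print "single"
             else print "split"
         }'
}

# Fetch the page N times with one cookie jar so the JSESSIONID is replayed,
# print each identity line and the verdict. Needs network access to the
# proxy, so it is not run by default.
probe() {
    n=${1:-6}; jar=$(mktemp); i=0
    while [ "$i" -lt "$n" ]; do
        curl -s -b "$jar" -c "$jar" "$PROXY_URL" | page_identity
        i=$((i + 1))
    done > "$jar.log"
    cat "$jar.log"
    verdict < "$jar.log"
    rm -f "$jar" "$jar.log"
}

# Stand-alone demonstration on the constructed pages
{ printf '%s\n' "$SAMPLE_A" | page_identity; printf '%s\n' "$SAMPLE_B" | page_identity; } | verdict
```

Against the live cluster, `probe 10` should end with "shared"; "split" means each Tomcat handed out its own session, which points at the Manager element or the jars not being in place on one node, and "single" means the proxy sent every request to the same backend, so the check did not exercise sharing at all.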